integrations / terraform-provider-github

Terraform GitHub provider
https://www.terraform.io/docs/providers/github/
MIT License

[BUG]: OpenTofu registry is missing GPG keys for this provider #2183

Closed venkatamutyala closed 2 months ago

venkatamutyala commented 5 months ago

Expected Behavior

I wasn't expecting this notification when using opentofu:

image

Actual Behavior

I am being warned that signature validation was skipped

Terraform Version

opentofu 1.6.2

Affected Resource(s)

Initialization of the provider

Terraform Configuration Files

No response

Steps to Reproduce

Use opentofu and initialize with the github provider

Debug Output

No response

Panic Output

No response

Code of Conduct

venkatamutyala commented 5 months ago

I believe the fix is that GitHub needs to just submit their provider GPG key to opentofu:

https://github.com/opentofu/registry?tab=readme-ov-file

https://github.com/opentofu/registry/issues/new?assignees=&labels=provider-key%2Csubmission&projects=&template=provider_key.yml&title=Provider+Key%3A+

cube2222 commented 5 months ago

OpenTofu Technical Lead here - Just a note @kfcampbell, as you've marked this as up for grabs - the public gpg key needs to be submitted by a member of this organization, for the registry to accept it.

kfcampbell commented 5 months ago

Hmm...our private key is stored as an Actions secret, which is great because the actual content of it isn't stored anywhere else to my knowledge. I unfortunately have no idea where our public key exists as a file. This could be a bit of a hassle.

cube2222 commented 5 months ago

@kfcampbell you’ve probably added it to the HashiCorp registry, and should be able to get it out of there.

StephenWithPH commented 5 months ago

@kfcampbell

If you can't get your public key from any other source, you can get it via:

curl 'https://registry.terraform.io/v1/providers/integrations/github/6.0.1/download/linux/amd64' | jq --raw-output '.signing_keys | .gpg_public_keys | .[0] | .ascii_armor' > github_registry_key.pub

Note that the /6.0.1/download/linux/amd64 portion of the URL is necessary solely to satisfy the registry's API.

I attached the key for reference. github_registry_key.pub.txt

You can get its fingerprint:

gpg2 --with-fingerprint github_registry_key.pub

... which should return

pub   rsa4096/0x38027F80D7FD5FB2 2020-09-03 [SC]
      Key fingerprint = F319 28FA CE52 F1A1 3A6C  60EA 3802 7F80 D7FD 5FB2
uid                             terraform-provider-github (https://www.terraform.io/docs/registry/providers/publishing.html#preparing-and-adding-a-signing-key) <jcudit@github.com>
sub   rsa4096/0x52C9A746AB3CA576 2020-09-03 [E]
      Key fingerprint = 7A4F 66FD EDDB 55B0 818A  B464 52C9 A746 AB3C A576

Key fingerprint = F319 28FA CE52 F1A1 3A6C 60EA 3802 7F80 D7FD 5FB2

matches your build logs:

https://github.com/integrations/terraform-provider-github/actions/runs/7934263784/job/21664855922#step:6:9

... since that env var is used by goreleaser to sign: https://github.com/goreleaser/goreleaser-action?tab=readme-ov-file#signing
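The extraction and fingerprint steps above, as an added example that is not from this thread or the provider project: it reads the same JSON path the `jq` filter uses (`signing_keys.gpg_public_keys[].ascii_armor`), dearmors the key, and computes the OpenPGP v4 fingerprint the way `gpg --with-fingerprint` does (RFC 4880 section 12.2: SHA-1 over 0x99, a two-byte length and the key packet body), so a team can pin the expected fingerprint and fail if the registry ever serves a different key. It runs offline: the registry response is constructed and wraps a synthetic RSA public-key packet (constructed modulus, exponent and timestamp), so its fingerprint deliberately does not match the real key's fingerprint quoted above; with the real `curl` output it would. The JSON shape beyond the `ascii_armor` path is an assumption.

```python
"""Pin a Terraform-registry provider signing key by its OpenPGP fingerprint.

Offline mirror of the curl | jq step and the gpg --with-fingerprint step:
the response below is constructed and wraps a synthetic key, not the real
integrations/github key.
"""
import base64
import hashlib
import struct

# Fingerprint quoted on the page for the real integrations/github signing key.
PAGE_FINGERPRINT = "F319 28FA CE52 F1A1 3A6C  60EA 3802 7F80 D7FD 5FB2"


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def build_v4_rsa_key_packet(n: int, e: int, created: int) -> bytes:
    """Old-format tag-6 packet (0x99 + 2-byte length) holding a v4 RSA public key."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


def armor_public_key(packet: bytes) -> str:
    """Minimal ASCII armor (no CRC24 trailer) around raw packets."""
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""] + lines + ["-----END PGP PUBLIC KEY BLOCK-----"])


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (headers, blank lines, '=' CRC line) and base64-decode."""
    payload, inside = [], False
    for line in armored.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            inside = True
        elif line.startswith("-----END PGP"):
            break
        elif inside and line and ":" not in line and not line.startswith("="):
            payload.append(line)
    return base64.b64decode("".join(payload))


def iter_packets(data: bytes):
    """Yield (tag, body) per packet; handles old- and new-format length octets."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet")
        if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
            else:
                raise ValueError("partial body lengths unsupported")
        else:  # old-format header (RFC 4880 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length unsupported")
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length, and the body."""
    if body[0] != 4:
        raise ValueError("only v4 keys supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def registry_key_fingerprints(response: dict) -> list:
    """Fingerprints of every primary key (tag 6) in a registry download response."""
    fps = []
    for key in response["signing_keys"]["gpg_public_keys"]:
        fps += [v4_fingerprint(b) for t, b in iter_packets(dearmor(key["ascii_armor"])) if t == 6]
    return fps


def key_is_pinned(response: dict, expected: str) -> bool:
    """True only if the pinned fingerprint is among the keys the registry serves."""
    return expected.replace(" ", "").upper() in registry_key_fingerprints(response)


def format_fingerprint(fp: str) -> str:
    """Render like gpg: ten groups of four hex digits, double space after the fifth."""
    g = [fp[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(g[:5]) + "  " + " ".join(g[5:])


# Constructed synthetic key material (NOT a real key) and an assumed response shape.
N = int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 8, "big") | (1 << 2047) | 1
SYNTHETIC_PACKET = build_v4_rsa_key_packet(N, 65537, 1599091200)
SYNTHETIC_FINGERPRINT = hashlib.sha1(SYNTHETIC_PACKET).hexdigest().upper()
SAMPLE_RESPONSE = {"signing_keys": {"gpg_public_keys": [
    {"key_id": SYNTHETIC_FINGERPRINT[-16:], "ascii_armor": armor_public_key(SYNTHETIC_PACKET)}]}}

if __name__ == "__main__":
    for fp in registry_key_fingerprints(SAMPLE_RESPONSE):
        print("registry serves", format_fingerprint(fp))
    print("matches pinned page key:", key_is_pinned(SAMPLE_RESPONSE, PAGE_FINGERPRINT))
```

Feed it the real `curl` output (`json.load` of the download endpoint response) and `key_is_pinned(response, PAGE_FINGERPRINT)` is the check worth running in CI before trusting a provider build or submitting the key to a registry: it compares the fingerprint computed from the actual key bytes rather than a `key_id` string the API could carry separately.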

StephenWithPH commented 3 months ago

@kfcampbell ... are you able to use the instructions above to get the key? Once you have that key, the PR to OpenTofu should be very easy: https://github.com/opentofu/registry/issues/new?assignees=&labels=provider-key%2Csubmission&projects=&template=provider_key.yml&title=Provider+Key%3A+

Only you (or someone else from GitHub) can take care of this.

Once you do so, it will allow users of GitHub and OpenTofu to securely use this provider to manage their GitHub resources.

wjbabicz commented 3 months ago

Bumping, trying to migrate our workflows to OpenTofu and cannot pull in the Github provider because of the missing GPG keys.

pascal-hofmann commented 2 months ago

@kfcampbell Any update on this?

After several months in the "terraform vs. opentofu" limbo and being stuck on terraform 1.5 my organisation now also decided to switch to OpenTofu. It would be great to be able to properly install the GitHub provider.

venkatamutyala commented 2 months ago

Just tried escalating via GitHub Support. here is their response:

image
StephenWithPH commented 2 months ago

Just tried escalating via GitHub Support. here is their response:

We had similar experience with support. For those of us using GitHub Enterprise, I suggest reaching out via sales channels to see if we can get traction.

pascal-hofmann commented 2 months ago

@nickfloyd Can you maybe help with that?

Thanks in advance! Pascal

venkatamutyala commented 2 months ago

Just tried escalating via GitHub Support. here is their response:

We had similar experience with support. For those of us using GitHub Enterprise, I suggest reaching out via sales channels to see if we can get traction.

Anyone here spending a decent amount on GitHub enterprise that could help push this forward via their sales rep?

kfcampbell commented 2 months ago

Hi! Sorry it's taken me so long here. I've opened https://github.com/opentofu/registry/issues/675 where I've attempted to follow the instructions from @StephenWithPH here. Please let me know if you'd like me to upload the key in a .pub file or make any other changes!

pascal-hofmann commented 2 months ago

Thanks for taking care of this. The key is now available in the OpenTofu registry and signature validation works. 🚀

This issue can be closed.